// Subdomain Finder · Certificate Transparency

Find a domain's subdomains.

Enter a domain and get the subdomains that have appeared in public TLS certificates — collected from Certificate Transparency logs. Passive: no port scanning, no DNS brute-force, nothing sent to the target.

Please enter a valid domain name (e.g. example.com).

[ 01 ] — How it works

Subdomains from CT logs.

Certificate Transparency

Every publicly-trusted TLS certificate is logged to public, append-only CT logs. Those certificates name the hostnames they cover — which is where the subdomains come from.

Passive & free

We query crt.sh server-side and dedupe the results. No scanning of the target, no API key, no signup — just the certificate record.

Honest scope

This finds subdomains seen in CT logs — the large majority of internet-facing hosts. It won't find internal-only names, hosts behind wildcard certs, or subdomains that never had a public certificate.

Looking for the full certificate history (issuers, validity, expiry) rather than just the subdomain list? Use the Certificate Transparency log search. For DNS records of a specific host, try the DNS lookup.